In Business Central, managing Permission Sets is not always straightforward. You can add or reference existing permission sets within another, creating a hierarchical structure. Within these Permission Sets, there could be Include and Exclude of the same object.
Hence, in today’s post, we’ll walk through Permission Sets in Business Central, explaining how they work and how to configure them effectively.
Understanding permission hierarchy is crucial when multiple permission sets involved, as there are rules that determines how access rights are combined and applied.
- Assigning Two Permission Sets w/ Include
- Referencing Permission Sets w/ Include
- Referencing Permission Sets w/ Include & Exclude – Lower Hierarchy
- Referencing Permission Sets w/ Include & Exclude – Higher Hierarchy
- Assigning Two Permission Sets w/ Include & Exclude
- Assigning Referencing Permission Sets w/ Include & Exclude
- Key Takeaways
Assigning Two Permission Sets w/ Include
When assigning multiple Permission Sets, the user receives a combined set of permissions.
This is the simpliest and most commonly implemented.
Referencing Permission Sets w/ Include
A Permission Set can reference another Permission Set, creating a hierarchical or nested structure for easier management.
This way, you can simplify and reduce the number of Permission Sets assigned to the user.
In this example, the user has RIMD access to TableID 23, even though “Permission – B” only grants R access. This happens due to inherited permissions from another assigned set.
When handling such scenario, the consultant must be very mindful of the referenced Permission Sets, as they play a crucial role in determining the effective permissions granted to the user.
Referencing Permission Sets w/ Include & Exclude – Lower Hierarchy
Using the same Referencing Permission Set example, but this time with the Exclude permission.
You can see that the Permission Set higher in the hierarchy will override the permissions of those lower in the hierarchy.
In this example, “Permission – A2” Exclude M access is supersede by “Permission – A1” where it provide M access.
Referencing Permission Sets w/ Include & Exclude – Higher Hierarchy
Using the same Referencing Permission Set example again, but this time with the Exclude permission on the higher hierarchy.
In this example, we will reverse the permissions assigned from before.
With the Exclude M access on “Permission – A1” and “Permission – A2” with RIMD access.
Here, you can see that the Permission Set higher in the hierarchy will supersede the permissions of those lower in the hierarchy.
Assigning Two Permission Sets w/ Include & Exclude
So now, you understood that Permission Set higher in the hierarchy will supersede the permissions of those lower in the hierarchy.
What happened when you have the same hierarchical level of Permission Sets with Include and Exclude?
In this example, I will demonstrate Permission Set at the same hierarchical level.
You can see that the Include permission will take priority over the Exclude permission when on the same hierarhical level.
Assigning Referencing Permission Sets w/ Include & Exclude
The hierarchical level is not solely on the Permission Sets assigned to the user.
Permission Sets with references also have their own hierarchical level.
In this example, I will demonstrate with a Permission Set referencing with two other Permission Sets that has Include and Exclude of the same object ID.
The result is the same, the Include permission takes priority over the Exclude permission when they are on the same hierarchical level.
Note: In this example, “Permission – A1” is not referencing to “Permission – A2”.
Key Takeaways
- Higher hierarhical Permission Set takes priority over referenced Permission Set.
- Include takes priority over Exclude when at higher hierarchical level.
- Include takes priority over Exclude when on the same hierarchical level.
